CCleaner Vulnerability Brief

Image used for CCleaner fix article from Bay Area Precision IT ConsultingCCleaner Vulnerability Brief

For our Bay Area clients and other Bay Area IT support teams, you may have been aware of a recent incident with a free security tool called CCleaner. The following is a briefing from one of our Technical Engineers that provides background to this issue and ways to fix it.

Overview:
CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 were found to have unauthorized code published in their updates between August 15th and September 12th. This code contained a backdoor called Floxif which collected information about the computer and sent it to a Command-and-Control Server. Once the CnC has received info about the infected computer, it can reply with a payload that is then downloaded and executed on the infected computer.

Mitigation:
If you have an impacted version check to ensure there are no registry entries in HKLM\SOFTWARE\Piriform\Agomo, precisely NID, TCID, and MUID.
Uninstall CCleaner
Run Virus/Malware Scans
Don’t run 3rd party tools consumer tools on corporate networks

Note:
Piriform/Avast has stated the issue has been patched in later versions, but I would be wary about installing 3rd party tools, especially on servers (Remember Classic Shell’s rootkit?) as that would have completely mitigated this vulnerability. It’s also worth noting that they are unsure how someone modified their update packages hosted on their server. On top of that, they knew about the compromised update and waited a week to tell the public. (Avast estimated 2.2 million infected computers). Because of this above, I wouldn’t recommend updating CCleaner as a way to remove the infection, or would I advise to use their software moving forward.

Additional Information:
http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/